CVE-2014-8598

Critical

Description

The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code.

References

https://github.com/mantisbt/mantisbt/commit/80a15487

https://exchange.xforce.ibmcloud.com/vulnerabilities/98573

http://www.securityfocus.com/bid/70996

http://www.openwall.com/lists/oss-security/2014/11/07/28

http://www.mantisbt.org/bugs/view.php?id=17780

http://www.debian.org/security/2015/dsa-3120

http://secunia.com/advisories/62101

Details

Source: Mitre, NVD

Published: 2014-11-18

Updated: 2017-09-08

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical